Activate MFA on the Root Account

Learn how to secure the root account by enabling MFA.

Keeping our account safe

The root account has massive importance. It has all privileges, including billing, so even if you create an IAM user and give them full administrative privileges to your account, there are still a few privileges that they don’t get. Since the root account has everything, it is an extremely important account, and it’s the one that you really need to secure.

When we talk about multi-factor authentication, we’re talking about using more than one type of authentication. Those types can be something you know, like a username and password; something you have, which is a physical device of some sort or something that generates a code; and something you are, which means biometrics, for instance, retina scans or fingerprints. In the case of AWS, we’re going to use two factors of authentication. One of them will be something that we know, which is our username and password. The other will be something that we have, and that’s going to be a multi-factor authentication device.

In this lesson, we will activate MFA on the root account.

Open the AWS IAM console

In some cases, you might see that there's also an option to delete your root access keys. In our case, it's ticked; if it's not, you can go into managed security credentials.

Choose “Access keys”, and you'll see an access key which you'll need to delete. There'll be an option on the right-hand side to delete it.

Choose the "Multi Factor Authentication" tab and click "Activate MFA".

We can see here that we have a few options. One of them is a hardware device that will produce a token which you then enter into the console when you log in. Alternatively, you can use a virtual MFA device, and this is what we're going to use.

We now get a QR code on the screen. We have to click show QR codes to get it, and what you need to do now is install Google Authenticator on your phone.

Choose the plus.

Then choose "Scan barcode" and hold your phone up to your monitor.

You need to enter the first code that you see on the screen. Then you need to choose the second code, which is shown on the screen once the first one expires.

We've now successfully assigned the virtual MFA device.

You can always go in and manage this device.

You can remove it, and you can resync it.

What we want to do now is see how this works. We can choose "Sign Out" and then sign back into the console.

Enter your credentials and choose "Sign in".

It should now ask for the MFA code. We are going to type it in and choose "Submit".

Back in the IAM console, we can see under our security status that we've activated MFA on the root account.

You now have the extra factor of authentication on your account. Even if someone finds out what your password is, they won’t be able to log in without also having access to Google Authenticator on your phone.
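
What the authenticator app computes from the secret in the QR code, and a check for two consecutive codes like the one the console asks for during activation, shown as an added example (not AWS's code and not part of the original lesson). It assumes standard RFC 6238 TOTP with HMAC-SHA1, 6 digits and a 30-second step; the secret is the RFC 6238 test key, and `verify_enrollment` with its drift window is a hypothetical server-side check.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_enrollment(secret, code1, code2, server_time, drift_steps=1):
    """Hypothetical server-side check: code2 must be the code for a step
    within +/- drift_steps of server_time, and code1 the code for the step
    just before it. Returns the matching drift in steps, or None."""
    for drift in range(-drift_steps, drift_steps + 1):
        t2 = server_time + drift * STEP
        ok1 = hmac.compare_digest(totp(secret, t2 - STEP), code1)
        ok2 = hmac.compare_digest(totp(secret, t2), code2)
        if ok1 and ok2:
            return drift
    return None

# Constructed sample: the RFC 6238 test key, base32-encoded the way a
# virtual MFA QR code carries its secret. Never reuse it for a real device.
SAMPLE_SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    now = 1111111111  # constructed timestamp taken from the RFC test vectors
    first, second = totp(SAMPLE_SECRET, now - STEP), totp(SAMPLE_SECRET, now)
    print("codes shown by the app:", first, second)
    print("in sync:", verify_enrollment(SAMPLE_SECRET, first, second, now))
    print("phone one step behind:",
          verify_enrollment(SAMPLE_SECRET, first, second, now + STEP))
    print("same code twice:",
          verify_enrollment(SAMPLE_SECRET, second, second, now, drift_steps=0))
```

Anyone who obtains the secret behind the QR code can generate the same codes, so the QR code shown during activation deserves the same care as the root password.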
